“Organizations should adopt a comprehensive and integrated strategy that encompasses all areas of security risk”
(ASIS Standard)
Historically many organizations have managed security functions as independent functions without recognition of the interdependencies between the physical and the logical security world.
Convergence of the security disciplines is key to an effective enterprise security risk management program. Failure to integrate the disciplines would most likely increase the level of risk for an organization and could introduce unnecessary vulnerabilities. At a minimum, I am talking about the information and physical security world. But, one could also conclude that bringing in Privacy, Risk, Compliance and Governance also makes sense.
I am not surprised when I talk with a member company (or potential member company) to learn that their security functions are in silos with not much cross communication/collaboration going on. I have even been engaged with members whose information security and physical security functions in silos to the point whereby one side is unaware of the other’s activities. This is an obvious enterprise risk management (ERM) challenge, but there are organizations that continue to function in this manner.
Security Convergence: A Holistic Approach to Security
Converged security/risk management offers a more holistic approach and there are many benefits. In addition to physical and logical security, risk management and general business benefits can also be realized. To be clear, I am not merely talking about the merger of security organizations (although that is a viable option), but more about developing practices, policy and governance that ensures that the all security related activities function in a coordinated way with each discipline supporting the others.
The first benefit from convergence is the cost savings that can be realized. The re-alignment of teams may allow for better utilization of personnel resources. This could mean the re-allocation of resources to fill gaps and cross training team members to perform multiple duties in either domain, etc. Leveraging teams in a more efficient manner makes good business sense and builds continuity across all of your security related functions. Finally, convergence will illuminate duplicate roles and allow for the opportunity to better address resource allocation.
Convergence should include convergence of technology as well. Think about the technology tools used in the physical security realm today. IP based centralized security systems for CCTV, access (physical) control, alarm monitoring, and the associated systems. Bringing all of that together in a security operations center (SOC) provides a single (maybe multiple SOCs) collection analysis point for security professionals. This enables the sharing of all relevant security/threat/risk data. Furthermore, having security analyst(s) from both disciplines in the same SOC increases the likelihood and speed of information sharing across the teams. Bringing teams together is to everyone’s benefit.
Finally, security convergence can provide a single “hand to shake” for the organizations. Alignment of all security functions under a single security organization lead by an executive-level security person (be it CSO or CISO) would shorten the timeline of relevant information provided to senior leadership and decision makers. Furthermore, it should reduce instances of inaccurate or erroneous information making its way to the executive suite. Depending on the structure and culture of the organization, the CSO/CISO could report into the Chief Risk Officer, the Chief Information Officer or even the Chief Executive Officer. Also, security risk is a board level conversation and should be sponsored by and owned at that level.
Benefits of security convergence include, but are not limited to:
- Cost saving through the merger of teams and technologies
- Reduction in tool duplication
- Reduction is role duplication
- Allows for the re-alignment of resources to better fit business/security goals
- Improved information sharing
- Increased efficiencies through the leveraging of the teams and technologies
- Single point of contact for the flow of information to senior leadership
- A single enterprise security vision
- Elimination of internal “turf wars”
- Elimination of silos of information
- Improved alignment of business and security goals
The idea of security convergence is not new. In fact, convergence is happening whether you realize it or not. Use of the same infrastructure for information and physical access control is now common and can result in real savings, improved risk mitigation and increased business and security efficiencies, we should continue down this path and accelerate the effort.